Archive for November, 2006

Watch a live spam bot in action.

Ever wondered how a trojan infected computer gets its orders to spam? Take a peek with me into one trojan’s junkmail activities. The following account is happening as I type, and shows that some image spam is not unique even though it appears to be random.

The smtp sending trojan first phones home for its task list, via http on the smtp port (25). Port 25 on the host machine is running Apache/1.3.37 — this is a very unusual place to find apache running.

The task list looks like this:

$GET "http://example.com:25/outtask/urlTask8_c_2.txt?id=MAGID-ID-STRING&flag=1"
10
12|http://serv2.example.com/outtask/tasks/task_12_letter_1162390208.txt|
http://get.example.com:8092/cgi-bin/cgi2.cgi|
http://serv2.example.com/report2.cgi|1||
http://mail.example.com:8888/cgi-bin/put|

20|http://serv2.example.com/outtask/tasks/task_20_letter_1162390209.txt|
http://get.example.com:8091/cgi-bin/cgi2.cgi|
http://serv2.example.com/report2.cgi|1||
http://mail.example.com:8888/cgi-bin/put|

22|http://serv2.example.com/outtask/tasks/task_22_letter_1162390209.txt|
http://get.example.com:8092/cgi-bin/cgi2.cgi|
http://serv2.example.com/report2.cgi|1||
http://mail.example.com:8888/cgi-bin/put|

(line breaks and spaces added for readability)

The response it got is in the following format:
“tasknumber|spam-text URL|Address-list URL|Report address|1||Report address2|”

So in the example above, the bot got 3 tasks. We’ll take a look at the first one in more detail….
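To make the task-list format above concrete, here is a small parser, added here as an example and not code from the bot or from Avert Labs. It assumes the raw response carries one task record per line (the post says the line breaks in the listing were added for readability) and treats the leading "10" line as a header whose meaning the post does not explain; the sample input is reconstructed from the listing above with the readability breaks removed. The `c2_endpoints` helper pulls out the host:port pairs an infected machine would contact, which is what a defender wants for a blocklist or a proxy-log search.

```python
"""Parse a captured spam-bot task list into structured records.

Added example, not the bot's code. Assumes one task per line, fields
separated by '|', in the format the post describes:
tasknumber|spam-text URL|address-list URL|report address|1||report address2|
"""
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed sample, rebuilt from the listing in the post with the
# readability line breaks removed. The leading "10" line is kept as-is;
# the post does not say what it means, so the parser skips it as a header.
SAMPLE_RESPONSE = """10
12|http://serv2.example.com/outtask/tasks/task_12_letter_1162390208.txt|http://get.example.com:8092/cgi-bin/cgi2.cgi|http://serv2.example.com/report2.cgi|1||http://mail.example.com:8888/cgi-bin/put|
20|http://serv2.example.com/outtask/tasks/task_20_letter_1162390209.txt|http://get.example.com:8091/cgi-bin/cgi2.cgi|http://serv2.example.com/report2.cgi|1||http://mail.example.com:8888/cgi-bin/put|
22|http://serv2.example.com/outtask/tasks/task_22_letter_1162390209.txt|http://get.example.com:8092/cgi-bin/cgi2.cgi|http://serv2.example.com/report2.cgi|1||http://mail.example.com:8888/cgi-bin/put|
"""

FIELD_COUNT = 7  # six named fields plus the empty field between the flag and report2


@dataclass
class SpamTask:
    number: int
    spam_text_url: str      # template of the junk mail to send
    address_list_url: str   # where the bot fetches recipient addresses
    report_url: str         # where the bot reports delivery results
    flag: str               # the constant "1" seen in every record
    report_url2: str        # second reporting endpoint


def parse_task_record(line: str) -> SpamTask:
    """Split one pipe-delimited task record into its named fields."""
    line = line.strip()
    if not line.endswith("|"):
        raise ValueError(f"record does not end with '|': {line!r}")
    fields = line[:-1].split("|")  # drop the trailing delimiter first
    if len(fields) != FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(fields)}: {line!r}")
    number, spam, addr, report, flag, reserved, report2 = fields
    if reserved != "":
        raise ValueError(f"unexpected content in reserved field: {reserved!r}")
    return SpamTask(int(number), spam, addr, report, flag, report2)


def parse_task_list(text: str) -> List[SpamTask]:
    """Parse the whole response; the first non-empty line is the header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return [parse_task_record(ln) for ln in lines[1:]]


def c2_endpoints(tasks: List[SpamTask]) -> Set[str]:
    """host:port pairs the infected host would contact (blocklist material)."""
    endpoints: Set[str] = set()
    for t in tasks:
        for url in (t.spam_text_url, t.address_list_url, t.report_url, t.report_url2):
            parts = urlsplit(url)
            endpoints.add(f"{parts.hostname}:{parts.port or 80}")
    return endpoints


def summarize(text: str) -> Dict[str, object]:
    """Convenience wrapper: task numbers plus the endpoint set."""
    tasks = parse_task_list(text)
    return {"task_numbers": [t.number for t in tasks], "endpoints": sorted(c2_endpoints(tasks))}


if __name__ == "__main__":
    print(summarize(SAMPLE_RESPONSE))
```

On real captures, a malformed record should be logged rather than silently skipped; the parser raises on any record that does not match the seven-field layout so that a format change by the operators is noticed instead of quietly producing an incomplete blocklist.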

Can you trust McAfee?

McAfee Avert has received several samples of a spammed Word DOC file called “McAfee Inc. Reports.doc” (size 205,824 bytes). This trojan file carries a macro that, if allowed to run, will drop a file called “LS060E5.eXE” (size 27,648 bytes) on the hard disk and execute it.

Detection of both files was added to the 4887 DATs (02 Nov 2006) under the names W97M/Kukudro.t and PWS-LDPinch, respectively.

What makes this incident worth mentioning is that the spammers appear to have used a mcafee@{domain}.com template for their spoofed emails (we have seen many domain names used, e.g. “europe”, “playful”). This was picked up by the media (http://www.net-security.org/virus_news.php?id=710) in a report that, unfortunately, was ambiguous enough to cause some confusion.

Some readers who did not follow the link to the description on the Kaspersky site clearly missed the statement “Kaspersky Lab believes that McAfee is in no way involved in the distribution of this Trojan”. As a result we started receiving questions like “Did you really...?”

For those interested in the answer to this question, please see one of our earlier posts on this subject, “Can I trust myself?”: http://www.avertlabs.com/research/blog/?p=28

0-Day Microsoft XML Core Services Vulnerability Hits Internet Explorer

Microsoft recently posted Security Advisory (927892) for a critical vulnerability in Microsoft XML Core Services. This vulnerability was discovered in the field and allows for remote code execution, which amounts to another vector for drive-by attacks via Internet Explorer. Exploitation is not believed to be widespread at this time, but we can expect exploit code to become public early in the week, at which point exploitation will pick up exponentially.

Workarounds include setting the kill bit for the XMLHTTP 4.0 ActiveX Control and modifying Internet Explorer’s security settings. For more information, see:
http://www.microsoft.com/technet/security/advisory/927892.mspx

McAfee Avert Labs is currently analyzing this threat.

McAfee’s newest weapon in the fight against malware

The threat landscape is constantly changing, and our technology must adapt and change as well. Long gone are the days when malware authors were primarily novice coders (or script kiddies). Today we see evidence of the rise of organized crime in malware creation, with development teams creating malicious software, testing it, and automating its production and release. Sophisticated techniques such as polymorphism, the recurrence of parasitic infectors, rootkits, and automated systems that constantly release new builds with cycling encryption are becoming more prevalent. Furthermore, it is difficult to remember the last time I worked on a sample that was not packed, encrypted or obfuscated in some attempt to disguise its nefarious purpose. There are many examples, but some stand out in my mind: w32/Stration, w32/Bacalid, and w32/Polip.

The increase in sophistication signals an acceleration of the ongoing arms race between malware authors and security research organizations. IT organizations must constantly upgrade, patch and deploy the latest software and fixes to keep their networks secure. The release of the 5100 AV Engine by McAfee is a major weapon in the arsenal of McAfee customers for fighting malware. The 5100 engine has upgraded capabilities which allow Avert Labs researchers to more effectively detect new malware generically, as well as old malware that has been obfuscated. Our internal testing data indicates that the 5100 engine may provide as much as 30% improved detection performance over the 4400 engine. This 30% comes from the 5100 engine’s capability to deobfuscate the malicious code.

This is proactive detection, provided by McAfee’s newest weapon in the fight against malware.

Avert strongly recommends anyone using McAfee AntiVirus or AntiSpyware products to upgrade to the latest engine.

Further Information and Engine Download Here

W32/HLLP.Philis variants spike in China

Within the last month we’ve seen a spike of new W32/HLLP.Philis variants being posted primarily on Chinese sites. This further underscores the point made in our last blog post about the importance the malware-authoring community places on frequent new variants and the recurrence of parasitic infectors.

What makes this particularly notable is that most of these virus-laden postings were from links included in blog and forum posts.

Comment spam is nothing new, and malware-related comment spam specifically has been reported for a number of months. This serves as a reminder that malware authors are constantly keeping up with trends in technology. Regardless of whether something is reasonably new, if it’s popular it’ll be a good “return on investment” for their malicious purposes.

Hackers use Wikipedia as bait

Hackers are trying to use the good reputation of Wikipedia to lure unsuspecting users into executing malware. The very openness of Wiki that allows users to freely add or edit available content has made it an attractive target for virus authors to plant malicious code in articles. A POC worm targeting Wiki was discovered earlier in August of this year.

In a recent incident, an email was mass spammed to German computer users asking them to download a security fix for a new variant of the infamous Blaster worm. The email was crafted to appear to come from Wikipedia, complete with an official Wikipedia logo. It directed users to a doctored Wikipedia article which included a link to malware hosted on an external site.

Editors at Wikipedia were quick to fix the misleading content in the article. However, since Wikipedia stores all previous revisions of an article, the attacker was able to direct users to the archived pages via the spammed email. Wikipedia administrators finally had to erase all old versions of the article to resolve the issue.

As malware authors continue to improve their social engineering techniques, public community sites like MySpace, Orkut, Wikipedia et al. will have to adapt their policies on posting and editing content. One cue can be taken from webmail providers like Hotmail and Yahoo, which have implemented mandatory virus scanning of attachments: have all content scanned by an antivirus before it is posted. This will help prevent mischief makers from creating toxic pages.

Update: A detailed analysis of this threat can be viewed at the McAfee Avert Labs Threat Library. Trojan Nordex: http://vil.nai.com/vil/content/v_140856.htm.

MySpace in China – When Malware Worlds Collide

It would seem MySpace is looking at the possibility of expanding to China, while at the same time Chinese websites are experiencing a significant amount of traffic in malware comment-spam. It seems to me that unless MySpace gets significantly more involved in making sure the XSS vulnerabilities that previous malware exploited are closed off, this could be a recipe for disaster. This is a potentially huge source of revenue for the people at News Corp, but also for adware affiliates and malware distributors.

But really, MySpace isn’t the only one that needs to take note of this. It’s really time for Web 2.0 to have a paradigm shift.
These websites were started by individuals, and intentionally left to be developed and made great by their user base. They’re all highly customizable, letting you include an incredible amount of your own content. On the one hand this is a brilliant idea, and has made the internet a much more compelling “place”. (Or is that “tube”?) On the other hand, no one gave much thought to security as these places were being built up. The news has been liberally littered lately with stories about various user-driven sites being used to distribute malware.

Without this change of direction, it could be that within a couple years these sites may become functionally unusable – they’ll be crushed by the very thing that made them revolutionary.

I, for one, hope this does not come to pass.

McAfee and SMiShing on Fox

Recently one of our researchers, David Rayhawk, gave an interview to Fox News on mobile malware and smishing.

Interview

Fox News 35 has the video on their site. There is also a mirror on Google video. The interview covered topics such as data destroying malware and the advent of smishing and for-profit malware. We have covered these topics in earlier posts.

While the current threats are not very widespread, the samples we’re seeing indicate that the capability for greater trouble is approaching.

W32/Realor.worm – Infecting Movies for Fun and Profit

After Exploit-WMF and the umpteen image file format exploits that followed, general computer users should understand that a file not bearing the extension *.EXE is not necessarily safe to view. Malware crafted out of document and media file formats is nothing new; nor is it a threat unique to Windows users. Before Word document 0-days made it into mainstream news headlines, there were text file exploits. More recently there was Exploit-WinAmpPLS playing a spyware note, and today a Microsoft security advisory for five critical Flash Player vulnerabilities; the music plays on.

Today, McAfee Avert Labs discovered W32/Realor.worm in the wild, actively modifying all Real Media (*.rmvb) files in its path. These “infected” media files launch a malicious webpage without prompting while the user is viewing them in the Real media player. Such files can be music or videos hosted on a network drive containing corporate presentations, a personal media server, a P2P shared folder, et cetera. When was the last time you hesitated in opening a movie file?

As much as the new world of broadband multimedia presents new channels for entertainment and business opportunities, it is an attractive breeding ground for malware, like any other popular application. Whether through a worm, using tools or hand-crafted, media files are a penetration vector hard to resist for profiteering malware authors. McAfee Avert Labs recognises a rising trend in the manipulation of media files to embed or install malware. Heuristics and generic detections such as New Downloader.b and Generic Downloader.bl are only some of the proactive measures to block such attempts. Internet users are advised to be cautious about sharing media files in a publicly writable folder or viewing media files from unknown sources, just as you would be with unsolicited e-mails and *.EXE files.

The 2007 Botnet Package – 0-day + Parasite + Google ?

On Sunday November 5th, we blogged about a 0-day exploit discovered in the wild that was targeting a Microsoft XML Core Services vulnerability. McAfee Avert Labs had been tracking and monitoring the payload deployed by this exploit.

W32/Kibik.a was the detection name assigned on Sunday, and it was included in the McAfee VirusScan DAT release the following week. With rootkit heuristics, behavioral detection and IP blacklists being the talk of the (security) town in recent years, W32/Kibik.a makes an interesting attempt to survive in today’s competitive environment.

W32/Kibik.a is a parasite that attaches to Windows Explorer (explorer.exe), even covering the backup copies of explorer.exe in the system restore, service pack installation and Windows Installer folders, making it hard for victims to restore the original system file. In the process list, explorer.exe has its perfectly legitimate presence; on disk, the infected explorer.exe is indistinguishable by file size because W32/Kibik.a attaches to unused segments of the original file. Behavioral detection products looking for rootkit characteristics or autorun registry keys will find nothing, because there is no rootkit and no autorun key.
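The unchanged file size is the practical lesson for anyone maintaining a file-integrity baseline: a check that compares sizes or timestamps passes an infection of this kind, and a hash comparison does not. The following is an added illustration of that point, not McAfee’s or the malware’s code. It constructs a stand-in executable image with a run of unused zero padding, overwrites that padding in place (so the length stays the same), and runs a size-versus-hash check over a live copy and the backup copies an infector of this kind would also have to touch; the copy labels and byte contents are constructed for the example.

```python
"""Why an integrity baseline must compare hashes, not file sizes.

Added example, not McAfee's or the malware's code. It models a parasite that
fills unused space inside an executable so that the size does not change,
and shows a SHA-256 baseline catching what a size check misses.
"""
import hashlib
from typing import Dict, Tuple


def build_fake_image(code: bytes, padding: int) -> bytes:
    """Constructed stand-in for a PE file: code followed by unused zero bytes."""
    return code + b"\x00" * padding


def overwrite_padding(image: bytes, payload: bytes) -> bytes:
    """Write payload into the trailing zero padding without changing the length.

    Assumes the unused region is the run of zero bytes at the end of the image,
    which is how the constructed sample is built.
    """
    pad_start = len(image.rstrip(b"\x00"))
    if len(payload) > len(image) - pad_start:
        raise ValueError("payload does not fit in unused space")
    return image[:pad_start] + payload + image[pad_start + len(payload):]


def fingerprint(data: bytes) -> Tuple[int, str]:
    """(size, sha256 hex digest) for one file body."""
    return len(data), hashlib.sha256(data).hexdigest()


def take_baseline(copies: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Record a fingerprint for every copy of the file: live and backups alike."""
    return {path: fingerprint(body) for path, body in copies.items()}


def check_against_baseline(copies: Dict[str, bytes],
                           baseline: Dict[str, Tuple[int, str]]) -> Dict[str, Dict[str, bool]]:
    """Per copy, report whether the size changed and whether the hash changed."""
    report: Dict[str, Dict[str, bool]] = {}
    for path, body in copies.items():
        size, digest = fingerprint(body)
        base_size, base_digest = baseline[path]
        report[path] = {"size_changed": size != base_size,
                        "hash_changed": digest != base_digest}
    return report


# Constructed scenario: three identical clean copies, including the backup
# locations the post says the parasite also infects (labels are illustrative).
CLEAN = build_fake_image(b"\x4d\x5a" + b"\x90" * 64, padding=32)
COPIES: Dict[str, bytes] = {
    "explorer.exe (live)": CLEAN,
    "explorer.exe (service pack backup)": CLEAN,
    "explorer.exe (system restore copy)": CLEAN,
}
BASELINE = take_baseline(COPIES)


def simulate_infection(copies: Dict[str, bytes], payload: bytes = b"\xcc" * 16) -> Dict[str, bytes]:
    """Apply the same in-place padding overwrite to every copy."""
    return {path: overwrite_padding(body, payload) for path, body in copies.items()}


def demo() -> Dict[str, Dict[str, bool]]:
    """Baseline the clean copies, infect them, and check: size same, hash differs."""
    return check_against_baseline(simulate_infection(COPIES), BASELINE)


if __name__ == "__main__":
    for path, result in demo().items():
        print(path, result)
```

The baseline must be taken from known-good media (an install source or a vendor catalog), and it must cover every location from which the file could be restored; a baseline that only covers the live copy lets a repair from an infected backup reintroduce the parasite.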

To make it even more difficult for network administrators to track, W32/Kibik.a sends innocent-looking search requests to Google Blogsearch; only the search keywords, which are unique hexadecimal strings, give it away. Google Blogsearch, unlike the Google Web Search we are most familiar with, indexes blog entries through the RSS and Atom feeds published by blog authors, which makes blog content searchable sooner than through Web search. Once indexed, search results can return dynamic data, such as URLs to download or commands to execute, in a synchronized manner. At the time of writing, W32/Kibik.a’s searches have not yielded any results.
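Because the requests themselves look like ordinary searches, the detectable signal on the network side is the keyword: a long, purely hexadecimal token where a person would type words. The script below is an added example of that detection logic, not a McAfee tool. It assumes a proxy log with one "timestamp client method url" entry per line, that the search engine is reached at the host blogsearch.google.com, and that the keyword travels in the `q` query parameter; all three are assumptions for the example, not details from the post, and the log lines are constructed.

```python
"""Flag outbound blog-search requests whose keyword is an opaque hex token.

Added example, not a McAfee tool. Assumptions (not from the post): a proxy
log with one "timestamp client method url" entry per line, the search host
blogsearch.google.com, and the keyword carried in the 'q' parameter.
"""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

SEARCH_HOSTS = {"blogsearch.google.com"}        # assumed host for the example
HEX_KEYWORD = re.compile(r"^[0-9a-fA-F]{16,}$")  # long, purely hexadecimal token

# Constructed sample log: a human query, an unrelated request, and two
# bot-style lookups with hexadecimal keywords from the same client.
SAMPLE_LOG = """\
2006-11-05T10:01:02 10.0.0.12 GET http://blogsearch.google.com/blogsearch?q=rootkit+detection
2006-11-05T10:01:09 10.0.0.12 GET http://www.google.com/search?q=weather
2006-11-05T10:03:44 10.0.0.44 GET http://blogsearch.google.com/blogsearch?q=3fa9c2e1b7d04455a8c1
2006-11-05T10:08:44 10.0.0.44 GET http://blogsearch.google.com/blogsearch_feeds?q=9b1e77c0dd2a4f13e6c8&output=rss
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one log entry into its four whitespace-separated fields."""
    ts, client, method, url = line.split(maxsplit=3)
    return {"ts": ts, "client": client, "method": method, "url": url}


def search_keyword(url: str) -> Optional[str]:
    """Return the search keyword if the URL targets a monitored search host."""
    parts = urlsplit(url)
    if parts.hostname not in SEARCH_HOSTS:
        return None
    values = parse_qs(parts.query).get("q")
    return values[0] if values else None


def is_opaque_hex(keyword: str) -> bool:
    """True for a keyword that is nothing but a long run of hex digits."""
    return bool(HEX_KEYWORD.match(keyword))


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Scan the log and return the entries whose search keyword looks machine-generated."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        keyword = search_keyword(rec["url"])
        if keyword is not None and is_opaque_hex(keyword):
            hits.append({"ts": rec["ts"], "client": rec["client"], "keyword": keyword})
    return hits


def summarize_clients(hits: List[Dict[str, str]]) -> Counter:
    """Count flagged lookups per client so repeat offenders stand out."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for h in found:
        print(h)
    print(summarize_clients(found))
```

A single hex-only search is not proof of anything, since people do search for hashes. What makes the pattern actionable is repetition: the same client issuing such lookups on a schedule with keywords that never recur, which is why the per-client count is worth keeping alongside the individual hits.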

From silent installation via a 0-day exploit, to silent residence and operation, to virtually silent and innocent-looking Google searches, W32/Kibik.a could well be the start of a new trend in scalable remotely controlled malware (a.k.a. botnets) in 2007. Given its stealthy elements, it is no wonder that few security vendors have detected or repaired W32/Kibik.a to date.

McAfee Avert Labs continues to monitor W32/Kibik.a and other malware using these techniques.

Virus Total Results 11.15.2006
